On 08.03.2025 00:31, Craig Huckabee wrote:
If your OCSP certificate lacks the OCSP specific OID it will fail that basic verification process.
That was indeed the case - thank you! It was driving me nuts. My current working solution is to use an intermediate CA to sign server.pem and client certificates. It also signs the OCSP responder certificate, which has the EKU set to OCSPSigning. For anyone wondering why an intermediate CA is necessary, the reason is that OpenSSL complains about self-signed certificate in the chain when the OCSP responder certificate is signed directly by the root CA. For completeness, I'll also mention that trying to add the OCSPSigning flag directly to the root CA results in the following errors: (5) eap_tls: ERROR: (TLS) OpenSSL says error 26 : unsuitable certificate purpose (5) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal unsupported_certificate (5) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:unsupported certificate (5) eap_tls: ERROR: (TLS) TLS - Server : Error in error (5) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed (5) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (5) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (5) eap_tls: ERROR: [eaptls process] = fail Regards, Przemyslaw Basa